dmap-jsapi-skill
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied unchanged, a web app may execute map library code from an unverified or environment-specific server.
The guide's quick start loads the DMap JavaScript SDK from a hard-coded HTTP private-IP endpoint. Loading a map SDK is expected for this purpose, but users should verify the host and prefer trusted HTTPS distribution.
<script type="text/javascript" src="http://172.26.64.84/dmapapi/bj2000/v1.0/dmap-gl.js"></script>
Replace the sample endpoint with the user's approved DMap service or CDN, use HTTPS where possible, and consider integrity controls (such as Subresource Integrity on the script tag) or other trusted deployment controls.
If the example is copied without sanitization, untrusted map data could be rendered as executable HTML or script in the user's web page.
The example renders feature data into popup HTML. This is a normal map API capability, but if feature properties come from untrusted GeoJSON or tiles, raw HTML insertion can create XSS risk.
.setHTML(`<h3>${feature.properties.name}</h3>`)
Use text-only popup APIs when available, escape or sanitize dynamic values before passing them to setHTML, and treat external map data as untrusted.
A copied example may prompt users for precise location access and continue tracking while the map control is active.
The guide includes an example that requests high-accuracy browser geolocation and tracks the user's location. This is purpose-aligned for maps, but it is sensitive and should remain user-controlled.
new dmapgl.GeolocateControl({
positionOptions: { enableHighAccuracy: true },
trackUserLocation: true
})
Enable geolocation only for features that need it, clearly disclose location use, and provide a way to stop tracking.
